Wednesday, May 20, 2009

Winamp MAKI Parsing Vulnerability Details

About two months ago, we found a vulnerability in the Winamp 5.55 MAKI script parsing module. We reported our findings to AOL. AOL then released Winamp version 5.552 with the fix. Here are the details:

Winamp MAKI Parsing Integer Overflow Vulnerability

Vendor:
AOL/Nullsoft

Severity:
High

Systems Affected:
Winamp 5.55 and prior versions that support Modern Skins.

Overview:
A vulnerability exists in Winamp. The vulnerability is due to an incorrect type cast while parsing a .maki file (a compiled script file), causing a buffer overflow. An attacker could provide a user with a modern skin (via a webpage download for example) that uses the maki script to execute arbitrary code within the context of the current user.

Technical Details:
Winamp’s modern skins scripting engine reads strings from the .maki file. The format of these strings is composed as follows (multi-byte values are in little endian byte order):

Offset Size Description
--------- ------ --------------------------------------
0x0000 4 Unknown (it seems to be a type code)
0x0004 2 Length (Y)
0x0006 Y Function name

When gen_ff.dll parses a .maki file, it reads two bytes and does a sign extension, which results in a stack buffer overflow.

The following shows the local buffer size (0x10008):

.text:12094DAB var_10144= byte ptr -10144h
.text:12094DAB MultiByteStr= byte ptr -13ch

If a string size is greater than or equal to 0x8000, edi will be 0xFFFFhhhh (where, 0xhhhh is the two byte input)

.text:12094F62 loc_12094F62:
.text:12094F62 mov ax, [ebx]
.text:12094F65 movsx edi, ax ; sign extension
.text:12094F68 inc ebx
.text:12094F69 push edi ; Size
.text:12094F6A inc ebx
.text:12094F6B lea eax, [ebp+MultiByteStr]
.text:12094F71 push ebx ; Src
.text:12094F72 push eax ; Dst, buffer is located in the stack
.text:12094F73 call memmove

.text:120951E5 loc_120951E5:
.text:120951E5 mov edi, [ebx]
.text:120951E7 add ebx, 4
.text:120951EA mov ax, [ebx]
.text:120951ED movsx esi, ax ; sign extension
.text:120951F0 inc ebx
.text:120951F1 push esi ; Size
.text:120951F2 inc ebx
.text:120951F3 lea eax, [ebp+var_10144]
.text:120951F9 push ebx ; Src
.text:120951FA push eax ; Dst, buffer is located in the stack
.text:120951FB call memmove

Reproduction:
I used the Bento skin’s maki file. The highlighted text in the following figure shows the two byte size (value is 0x0011) and the following 17 characters. I changed the size to 0xFFFF and inserted a lot of 0x41 (obviously more than 0xFFFF). Then BANG! EIP was overwitten with 0x41414141.



Resolution:
Sourcefire released detection for this issue (gid:3 sid:15433) on 2009-03-31
Vendor released Winamp 5.552 on 2009-04-11

Update:
This issue now has a Bugtraq entry, available here: http://www.securityfocus.com/bid/35052

No comments:

Post a Comment